Events & Signals

Events are the raw security signals that TIDALBAY ingests from your connected integrations. Each event is evaluated against scoring rules to determine its impact on an employee's security score.

Event Lifecycle

  1. Ingestion: Events arrive from integrations via API, webhook, or polling
  2. Normalization: Raw events are mapped to TIDALBAY's canonical event schema
  3. Attribution: Events are linked to an employee based on email, user ID, or device
  4. Evaluation: Matching scoring rules are applied to determine point impact
  5. Scoring: The employee's score is updated in real time
  6. Actions: Any triggered automated actions are executed

Event Categories

Identity Events

Events from identity providers (Okta, Azure AD, Google Workspace):

  • auth.login_success — Successful authentication
  • auth.login_failure — Failed authentication attempt
  • auth.mfa_disabled — MFA removed from account
  • auth.mfa_enrolled — MFA enabled on account
  • auth.suspicious_login — Login from unusual location or device
  • auth.account_locked — Account locked due to failures
  • auth.password_changed — Password updated

Email Events

Events from email security platforms:

  • email.phishing_reported — Employee reported suspicious email
  • email.malicious_click — Clicked link flagged as malicious
  • email.attachment_opened — Opened flagged attachment
  • email.credential_submitted — Submitted credentials on phishing page

Endpoint Events

Events from EDR and device management:

  • endpoint.malware_detected — Malware found on device
  • endpoint.policy_violation — Device policy not met
  • endpoint.os_outdated — OS version unsupported
  • endpoint.encryption_disabled — Disk encryption not enabled

Training Events

Events from security awareness training:

  • training.completed — Training module completed
  • training.overdue — Assigned training past deadline
  • training.assessment_passed — Passed assessment quiz
  • training.assessment_failed — Failed assessment quiz

Simulation Events

Events from phishing simulations:

  • sim.email_opened — Opened simulated phishing email
  • sim.link_clicked — Clicked simulated phishing link
  • sim.credential_submitted — Submitted credentials on simulation page
  • sim.reported — Reported simulated phishing email

Event Schema

{
  "id": "evt_abc123",
  "source": "okta",
  "type": "auth.mfa_disabled",
  "timestamp": "2025-01-15T10:30:00Z",
  "employee": {
    "id": "emp_xyz789",
    "email": "john.doe@company.com"
  },
  "details": {
    "ip_address": "192.168.1.1",
    "user_agent": "Mozilla/5.0...",
    "location": {
      "country": "US",
      "city": "San Francisco"
    }
  },
  "scoring": {
    "rules_matched": ["rule_mfa_disabled"],
    "impact": -30,
    "score_before": 85,
    "score_after": 55
  }
}
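
A consistency check for event records in the shape shown above, for example before forwarding them to a SIEM. This is an added example, not TIDALBAY code: `validate_event`, `KNOWN_TYPES` and `SAMPLE` are names chosen here. It assumes `score_after` equals `score_before` plus `impact` (as in the sample record) and that a non-zero impact implies a matched rule; custom event types would have to be added to `KNOWN_TYPES`.

```python
from datetime import datetime

# Event types listed in the catalogue on this page.
KNOWN_TYPES = set("""
auth.login_success auth.login_failure auth.mfa_disabled auth.mfa_enrolled
auth.suspicious_login auth.account_locked auth.password_changed
email.phishing_reported email.malicious_click email.attachment_opened
email.credential_submitted endpoint.malware_detected endpoint.policy_violation
endpoint.os_outdated endpoint.encryption_disabled training.completed
training.overdue training.assessment_passed training.assessment_failed
sim.email_opened sim.link_clicked sim.credential_submitted sim.reported
""".split())

SAMPLE = {  # the record shown under Event Schema, details block omitted
    "id": "evt_abc123", "source": "okta", "type": "auth.mfa_disabled",
    "timestamp": "2025-01-15T10:30:00Z",
    "employee": {"id": "emp_xyz789", "email": "john.doe@company.com"},
    "scoring": {"rules_matched": ["rule_mfa_disabled"], "impact": -30,
                "score_before": 85, "score_after": 55},
}

def validate_event(event):
    """Return a list of problems found in one event record (empty = clean)."""
    required = ("id", "source", "type", "timestamp", "employee")
    problems = [f"missing field: {f}" for f in required if f not in event]
    if str(event.get("type")) not in KNOWN_TYPES:
        problems.append(f"unknown event type: {event.get('type')!r}")
    try:
        # The sample uses a trailing Z, which older Pythons do not parse.
        stamp = str(event.get("timestamp", "")).replace("Z", "+00:00")
        if datetime.fromisoformat(stamp).tzinfo is None:
            problems.append("timestamp has no timezone")
    except ValueError:
        problems.append("timestamp is not ISO 8601")
    employee = event.get("employee")
    if not isinstance(employee, dict) or not (employee.get("id") or employee.get("email")):
        problems.append("employee has neither id nor email")
    scoring = event.get("scoring")
    if scoring is not None:
        # Assumption: score_after = score_before + impact, as in the sample.
        try:
            expected = scoring["score_before"] + scoring["impact"]
            if scoring["score_after"] != expected:
                problems.append(f"score_after {scoring['score_after']} != {expected}")
            if scoring["impact"] != 0 and not scoring.get("rules_matched"):
                problems.append("non-zero impact with no matched rule")
        except (KeyError, TypeError):
            problems.append("scoring block is incomplete")
    return problems
```
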

Event Retention

Events are retained according to your tenant's data retention policy (default: 12 months). Scoring impact decays over time but the event record is preserved for the full retention period.

Custom Events

Send custom events to TIDALBAY via the Webhooks API. Custom events follow the same lifecycle as integration events and can be matched by custom scoring rules.
